Re: [Fwd: Bug#184566: security threat to postgresql

On Fri, 2003-03-21 at 16:06, Oliver Elphick wrote:
> Is this paranoia, or is it a valid security point.  Any comments,
> please?

A little from column A, a little from column B, IMHO.

> if an application is linked against libpq, then the user is able to
> specify environmental variables to override the defaults

Note that this overrides the *default* -- if the application specifies
the full set of data of the host it wants to connect to, the
environmental vars shouldn't be used, AFAIK.

> if the user runs the program with the environment variable PORT set to
> 23423, he can install his own program on that port listening for the
> password! he can then use that password to connect to the real database
> and delete everything.

How is that any different than the user altering the database hostname
the client connects to, and setting up a fake DB server on that host?
Many database applications allow that...

Cheers,

Neil